State Student Privacy Laws

state-privacy-law-map-from-ncslIn addition to the federal student privacy laws,  states have passed many  student privacy laws in recent years since the controversy over inBloom Inc. first erupted.

In 2014,  110 bills were introduced on student data privacy in 36 states, with 24  signed into law.  In  2015, more than 180 student privacy bills were introduced, of which 28 became laws.

In 2016,  34 states introduced 112 bills, of which 18 passed in 15 states, according to the Data Quality Campaign.  The latest DQC report  shows the trend has not diminished in force.   2017, 36 states introduced 95 bills and passed 31 new laws addressing the use and privacy of student data.

Links to some recent state laws are below, including some not included in the above summaries.  The longer descriptions are from the National Conference of State Legislatures.  You should check out their website as well as back here for updates.

  • California : SB 1177 or Student Online Personal Information Protection Act (SOPIPA)  (2014). Summary by Cooley LLP.   SOPIPA prohibits an operator of a website, online service, online application or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure.  A very comprehensive guide was released in Nov. 2016 by the CA Attorney General office on SOPIPA as well as the two other CA student privacy laws listed below.   Also see the Data Privacy Guide (2015)  on CA student privacy laws,  produced by CETPA, the CCSESA and Fagen Friedman & Fulfrost.
  • California: AB-1584  (2014) Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software.  Now incorporated as CA Education Code Section  49073.1
  • CaliforniaAB-2799 (2016) Privacy: personal information: preschool and prekindergarten purposes.  Applies student privacy protections to preschool personal data.
  •  Colorado: HB14-1294 (2014);  the Student Data Privacy Act, requires the State Board of Education to publish an inventory of the individual student data currently in the student data system as required by state and federal education mandates, as well as any student data proposed for inclusion in this system. It prohibits the Department of Education from providing individual student data to other organizations or agencies outside the state except under specified circumstances.
  • Georgia: SB 89 (2015), the Student Data Privacy, Accessibility and Transparency Act, requires an inventory of data elements being collected, including a reason for why each is collected; gives parents rights to review their child’s education record and requires schools to provide electronic copies of student records to their parents upon request; requires development of a data security plan for the state data system; requires technology providers working with schools to develop appropriate security procedures and prohibits them from selling personal information about students or using it for targeted advertising; and provides for the Department of Education to designate a Chief Privacy Officer.
  • Idaho: SB 1372 (2014), the Student Data Accessibility, Transparency and Accountability Act of 2014, requires the State Board of Education to create, publish and make publicly available a data inventory that defines individual student data fields included in the student data system. The index must include any individual student data required to be reported by state and federal education mandates; any individual student data proposed for inclusion in the student data system with a statement explaining the reason for inclusion; and any individual student data collected or maintained with no current purpose or reason. The board is required to ensure that any contracts that govern databases, online services, assessments or instructional supports that include student data and are outsourced to private vendors, include express provisions that safeguard privacy and security, contain the restrictions on secondary uses of student data, and provide for data destruction. The act also includes penalties for noncompliance.
  • New York: Education law SB 6356 (2014; but not yet fully enforced as of October 2016) in two parts: § 2-c.  Release of student information to certain entities and § 2-d. Unauthorized release of personally identifiable information . Prohibits the Department of Education from providing personally identifiable information to service providers, calls for destruction of any data already provided and allows districts to opt out of providing students’ personally identifiable information to any party for inclusion in a data dashboard. It also creates a new position of chief privacy officer, who must make security and privacy policy recommendations and develop procedures for transparency, notification and parent complaints; calls for a parents’ bill of rights for data privacy and security and a data inventory; and lays out guidelines for contracting with service providers.
  • Oklahoma: HB 1989 (2013), the Student Data Accessibility, Transparency and Accountability Act, requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma. It also restricts the state from requesting delinquency records, criminal records, medical and health records, social security numbers and biometric information as part of student data collected from local schools and districts.
  • Rhode Island: HB 7124 (2014) limits the use of student data and information obtained by cloud computing service providers when providing services to K-12 educational institutions. It also prohibits the use of such data for commercial purposes, including advertising that benefits the service provider.
  • West Virginia: HB 4316 (2014) outlines state, district and school responsibilities for data inventory and provides for a data governance officer. It requires the State Board of Education to develop guidelines for school districts, requiring them to notify parents of their right to request student information and allow parents to access data specific to their child’s educational record; ensure security when providing student data to parents; make sure student data is provided only to authorized individuals; and detail the time frame within which record requests must be provided.      

State Social Media Legislation

Arkansas

California

Delaware

Illinois (allows schools to request access to personal accounts)

Illinois (bill introduced requiring schools districts to seek a court order to access personal accounts)

Louisiana

New Jersey

Michigan

New Mexico

Oregon

Rhode Island

Utah

Wisconsin